Carol Monaghan (Glasgow North West) (SNP)

- View Speech - Hansard -

Copy Link

-

We can all agree that the free flow of personal data across borders is essential to the economy, not just within the UK but with other countries, including our biggest trading partner, the EU. Reforms to our data protection framework must have appropriate safeguards in place to ensure that we do not put EU-UK data flows at risk.

Despite the Government’s promises of reforms to empower people in the use of their data, the Bill instead threatens to undermine privacy and data protection. It potentially moves the UK away from the “adequacy” concept in the EU GDPR, and gives weight to the idea that different countries can maintain data protection standards in different but equally effective ways. The only way that we can properly maintain standards is by having a standard across the different trading partners, but the Bill risks creating a scenario where the data of EU citizens could be passed through the UK to countries with which the EU does not have an agreement. The changes are raising red flags in Europe. Many businesses have spoken out about the negative impacts of the Bill’s proposals. Many of them will continue to set their controls to EU standards and operate on EU terms to ensure that they can continue to trade there.

According to conservative estimates, the loss of the adequacy agreement could cost £1.6 billion in legal fees alone. That figure does not include the cost resulting from disruption of digital trade and investments. The Open Rights Group says:

“Navigating multiple data protection regimes will significantly increase costs and create bureaucratic headaches for businesses.”

Although I understand that the Bill is an attempt to reduce the bureaucratic burden for businesses, we are now potentially asking those businesses to operate with two different standards, which will cause them a bigger headache. It would be useful if the Government confirmed that they have sought legal advice on the adequacy impact of the Bill, and that they have confirmed with EU partners that the EU is content that the Bill and its provisions will not harm EU citizens or undermine the trade and co-operation agreement with the EU.

Several clauses of the Bill cause concern. We need more clarity on those that expand the powers of the Home Secretary and the police, and we will require much further discussion on them in Committee. Given what has been revealed over the past few months about the behaviour of some members of the Metropolitan police, there are clauses in the Bill that should cause us concern. A national security certificate that would give the police immunity when they commit crimes by using personal data illegally would cause quite a headache for many of us. The Government have not tried to explain why they think that police should be allowed to operate in the darkness, which they must now rectify if they are to improve public trust.

The Bill will also expand what counts as an “intelligence service” for the purposes of data protection law, again at the Home Secretary's discretion. The Government argue that this would create a “simplified” legal framework, but, in reality, it will hand massive amounts of people’s personal information to the police. This could include the private communications as well as information about an individual’s health, political belief, religious belief or sex life.

The new “designation notice” regime would not be reviewable by the courts, so Parliament might never find out how and when the powers have been used, given that there is no duty to report to Parliament. The Home Secretary is responsible for both approving and reviewing designation notices, and only a person who is “directly affected” by a such a notice will be able to challenge it, yet the Home Secretary would have the power to keep the notice secret, meaning that even those affected would not know it and therefore could not possibly challenge it.

These are expansive broadenings of the powers not only of the Secretary of State, but of the police and security services. If the UK Government cannot adequately justify these powers, which they have not done to date, they must be withdrawn or, at the very least, subject to meaningful parliamentary oversight.

Far from giving people greater power over their data, the Bill will stop the courts, Parliament and individuals from challenging illegal uses of data. Under the Bill, organisations can deny or charge a fee to individuals for the right to access information. The right hon. Member for New Forest East (Sir Julian Lewis) mentioned the difficulty he had with a constituent. I think we can all have some sympathy with that, because many of us have probably experienced similar requests from members of the public. However, it is the public’s right to have access to the data that we hold. If an organisation decides that these requests are “vexatious or excessive”, they can refuse them, but what is “vexatious or excessive”? These words are vague and open to interpretation. Moreover, charging a fee will create a barrier for some people, particularly those on lower incomes, and effectively restricts control of data to more affluent citizens.

The Bill changes current rules that prevent companies and the Government from making solely automated decisions about individuals that could have legal or other significant effects on their lives. We have heard a lot about the potential benefits of AI and how it could be used to enhance our lives, but for public trust and buy-in of AI, we need to know that there is some oversight. Without that, there will always be a question hanging over it. The SyRI case in the Netherlands involved innocuous datasets such as household water usage being used by an automated system to accuse individuals of benefit fraud.

The Government consultation response acknowledges that, for respondents,

“the right to human review of an automated decision was a key safeguard”.

But despite the Government acknowledging the importance of a human review in an automated decision, clause 11, if implemented, would mean that solely automated decision making is permitted in a wider range of contexts. Many of us get excited about AI, but it is important to acknowledge that AI still makes mistakes.

The Bill will allow the Secretary of State to approve international transfers to countries with weak data protection, so even if the Bill does not make data security in the UK weaker, it will weaken the protections of UK citizens’ data by allowing it to be transferred abroad in cases with lower safeguards.

It is useful to hear a couple of stakeholder responses. The Public Law Project has said:

“The Data Protection and Digital Information (No.2) Bill would weaken important data protection rights and safeguards, making it more difficult for people to know how their data is being used”.

The Open Rights Group has said:

“The government has an opportunity to strengthen the UK’s data protection regime post Brexit. However, it is instead setting the country on a dangerous path that undermines trust, furthers economic instability, and erodes fundamental rights.”

Since we are talking about a Bill under the Department for Science, Innovation and Technology, it is important to hear from the Royal Society, which says that losing adequacy with the EU would be damaging for scientific research in the UK, creating new costs and barriers for UK-EU research collaborations. While the right hon. Member for Maldon (Sir John Whittingdale) is right about the importance of being able to share data, particularly scientific data—and we understand the importance of that for things such as covid vaccines—we need to make sure this Bill does not set up further hurdles that could prevent that.

There is probably an awful lot for us to thrash out in Committee. The SNP will not vote against Second Reading tonight, but I appeal to those on the Government Front Bench to give an opportunity for hon. Members to amend and discuss this Bill properly in Committee.